Cybersecurity specialist Alexander Hagena published a tool called Chrome-App-Bound-Encryption-Decryption, which allows users to bypass Google Chrome's recently implemented Application-Bound (App-Bound) encryption system and extract saved accounts from the browser.
In July 2023, Google introduced the App-Bound Encryption protection mechanism in Chrome version 127. This system encrypts cookies using a Windows service that runs with SYSTEM privileges, to protect confidential information from infostealers. The goal was to prevent malicious software from decrypting stolen cookies without SYSTEM privileges.
However, by September, attackers found ways to bypass this new protection system. Google acknowledged this ongoing battle, stating that they never considered protection mechanisms completely invulnerable but saw App-Bound as a fundamental step towards enhanced security.
Hagena made his App-Bound tool available on GitHub, along with its source code. According to the developer, the program decrypts the App-Bound keys stored in Chrome's Local State file using Chrome's internal COM-based IElevator service.
To use the tool, users must copy the executable file to the Google Chrome directory (typically found at C:\Program Files\Google\Chrome\Application), which requires administrator rights. Experts note that obtaining administrative privileges is relatively simple, especially for home users on Windows.
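The placement requirement described above gives defenders a detection point. The following added example (not from the original article or the tool's repository) flags executables written into Chrome's application directory by processes outside an allowlist; the event field names follow Sysmon Event ID 11, while the allowlisted updater paths and the sample events are assumptions constructed for illustration.

```python
import ntpath  # Windows path semantics, usable on any analysis host

# Directories to watch; the first is the path named in the article.
CHROME_DIRS = (
    r"C:\Program Files\Google\Chrome\Application",
    r"C:\Program Files (x86)\Google\Chrome\Application",
)
# Assumption: legitimate writers are Google's updater/installer. Tune per fleet.
ALLOWED_WRITER_DIRS = (
    r"C:\Program Files (x86)\Google\Update",
    r"C:\Program Files (x86)\Google\GoogleUpdater",
)
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}

def _norm(path):
    """Collapse '..' segments, unify separators and fold case."""
    return ntpath.normcase(ntpath.normpath(path))

def _is_under(path, roots):
    """True if path resolves to a location below any of the root directories."""
    p = _norm(path)
    return any(p.startswith(_norm(root) + "\\") for root in roots)

def find_unexpected_drops(events):
    """Return file-create events that place an executable in Chrome's
    directory from a process that is not on the writer allowlist."""
    hits = []
    for ev in events:
        target, writer = ev["TargetFilename"], ev["Image"]
        ext = ntpath.splitext(target)[1].lower()
        if (ext in EXEC_EXTS and _is_under(target, CHROME_DIRS)
                and not _is_under(writer, ALLOWED_WRITER_DIRS)):
            hits.append(ev)
    return hits

# Constructed sample events (file names and version folder are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "TargetFilename": r"C:\Program Files\Google\Chrome\Application\130.0.0.0\chrome.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Program Files\Google\Chrome\Application\tool.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\a\..\..\PROGRAM FILES\Google\Chrome\Application\x.EXE"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Program Files\Google\Chrome\Application\notes.txt"},
]
```

The updater's own write is allowed, the text file is ignored, and both foreign executables are flagged, including the one whose path uses `..` segments and different casing.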
Researcher G0NJXA mentioned that Hagena’s tool showcases a basic method that many infostealers have already surpassed for extracting cookies from all Chrome versions. Russian Panda, a malware analyst, confirmed that Hagena’s method closely resembles earlier bypass techniques used after the implementation of App-Bound encryption.